===================================
Lacing, pizza, and IPsec failures
===================================

Recently I have finally tried Ian's shoelace knot tying method: it produces a regular bow knot, but a tiny bit faster, and it feels neat to tie it with fewer movements. I'm not sure if it is quite as secure as the regular method, since it is harder to keep it tensioned, but it seems to be fine. Then I decided to go further and investigate lacing methods on Ian's Shoelace Site (it is at fieggen.com). I found "Ukrainian lacing", which "traps" the starting knot, so that you don't have to tie it again. It has the drawback of the last pair of eyelets being left untensioned, but its fourth variation solves that. So I tried it (after briefly trying the third variation), and though it sort of works, so far (after more than a month) I find it slower both to tie and to untie shoes with that kind of lacing: quick release is lost, so untying is a bit annoying, while for tying it is tricky to find the correct runs of the shoelace: you get a tangle of them, at least with certain kinds of shoes and shoelaces. Maybe I'll try it again on summer shoes, but I am going to redo the lacing back to regular crisscross lacing. Oh, and tensioning seemed even harder to do well with Ukrainian lacing.

In other news, I keep cooking things occasionally, and most of them turn out fine, but I rather messed up a couple of pizzas recently: I tried a new pizza dough recipe (with more precise measurements than the ones I used before), but ended up tearing the dough (pizza base) while trying to transfer it to the assembly surface, and tearing it worse yet when I tried to transfer it to the cooking surface (a baking sheet). Maybe I stretched it too thinly, and/or didn't knead it enough. I had to form it from scratch, but then it wasn't as neat as it should be. The other one I just assembled on a baking sheet. And the oven temperature was below 200 degrees Celsius, so in the end it didn't turn out as airy/bubbly as I hoped.
Though it tasted fine, and wasn't bad at all compared to frozen pizzas.

And today I looked into opportunistic IPsec again. Perhaps after looking into IPsec at work, or poking at other network-related stuff there, I'm rather excited about playing with the related technologies more, including VPNs. Libreswan's (wiki) documentation is confusing: apparently it was planned to add DNS query interception, IPSECKEY retrieval, and connection setup a few years and one major version ago, but it is unclear where that went. There was oe.libreswan.org for testing, with IPSECKEY set for the domain, but apparently it is down now. And libreswan's /etc/ipsec.d/policies/private-or-clear configuration file suggests that ideally opportunistic encryption should be enabled for every host on the Internet, but it's unclear how it is supposed to work, since with rightrsasigkey=%dnsondemand it only tries to check IPSECKEY in reverse DNS (which fails for oe.libreswan.org).

Then there is strongSwan, which has an ipseckey module, but it doesn't seem to be included in Debian, and not much about opportunistic encryption is in sight there; I only found some issue on an issue tracker, mentioning that it would be nice to introduce someday, which was then left silent for years.

Then there is the Unbound caching DNS server: it can be compiled with ipsecmod, which apparently issues an IPSECKEY request along with A/AAAA requests, runs a configurable hook executable before returning the A/AAAA result, and may be used to configure an IPsec daemon using the discovered key and address. It doesn't require much special handling from an IKE daemon (beyond addition of a key/host, though even that can be hacked via configuration files), so perhaps it can be used with strongSwan as well. But Unbound on Debian 11 comes without that module compiled, and building it manually would lead to a rather awkward setup, for very little benefit.
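Whatever does the lookup (libreswan's %dnsondemand, strongSwan's ipseckey plugin, or an Unbound ipsecmod hook), the piece every one of them has to get right is reading the IPSECKEY RRset and deciding which record, if any, to hand to the IKE daemon. The following is an added example, not code from this post or from libreswan, strongSwan or Unbound: it parses the RFC 4025 wire format (precedence, gateway type, algorithm, gateway, public key) and applies the precedence ordering and algorithm filtering a hook or daemon would need. The four sample records are constructed by hand (192.0.2.38, 2001:db8::1 and gw.example.net. are documentation values, and the key bytes are arbitrary), and the set of algorithms treated as supported is an assumption.

```python
"""IPSECKEY RDATA parsing and gateway selection (RFC 4025 wire format).

Added example; not code from libreswan, strongSwan or Unbound.  The sample
records are constructed by hand and SUPPORTED_ALGS is an assumption."""
import base64
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Gateway types and algorithm numbers from RFC 4025 (ECDSA = 3 is from RFC 8005).
GATEWAY_NONE, GATEWAY_IPV4, GATEWAY_IPV6, GATEWAY_NAME = 0, 1, 2, 3
ALG_NONE, ALG_DSA, ALG_RSA, ALG_ECDSA = 0, 1, 2, 3
SUPPORTED_ALGS = {ALG_RSA, ALG_ECDSA}   # assumed IKE daemon policy, not a standard


@dataclass
class IPSECKEY:
    precedence: int          # lower value is tried first, like an MX preference
    gateway_type: int
    algorithm: int
    gateway: Optional[str]   # dotted IPv4, IPv6 text, FQDN with trailing dot, or None
    public_key: bytes        # raw key octets; empty when algorithm is 0

    def presentation(self) -> str:
        """Zone-file form: precedence gateway-type algorithm gateway base64-key."""
        gw = "." if self.gateway is None else self.gateway
        key = base64.b64encode(self.public_key).decode("ascii")
        return f"{self.precedence} {self.gateway_type} {self.algorithm} {gw} {key}".rstrip()


def _read_name(data: bytes, pos: int):
    """Read an uncompressed wire-format domain name; returns (fqdn, new_pos)."""
    labels = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated domain name in gateway field")
        n = data[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(data):   # RFC 4025: no compression pointers here
            raise ValueError("bad label in gateway name")
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) + ".", pos


def parse_ipseckey(rdata: bytes) -> IPSECKEY:
    """Parse one IPSECKEY RDATA blob, raising ValueError on malformed input."""
    if len(rdata) < 3:
        raise ValueError("RDATA shorter than the 3-octet fixed header")
    precedence, gtype, alg = struct.unpack("!BBB", rdata[:3])
    pos = 3
    if gtype == GATEWAY_NONE:
        gateway = None
    elif gtype == GATEWAY_IPV4:
        gateway = str(ipaddress.IPv4Address(rdata[pos:pos + 4]))   # raises if short
        pos += 4
    elif gtype == GATEWAY_IPV6:
        gateway = str(ipaddress.IPv6Address(rdata[pos:pos + 16]))
        pos += 16
    elif gtype == GATEWAY_NAME:
        gateway, pos = _read_name(rdata, pos)
    else:
        raise ValueError(f"unknown gateway type {gtype}")
    key = rdata[pos:]
    if (alg == ALG_NONE) != (len(key) == 0):   # algorithm 0 means "no key", and vice versa
        raise ValueError("algorithm and public-key presence disagree")
    return IPSECKEY(precedence, gtype, alg, gateway, key)


def usable_records(rdatas: Iterable[bytes]) -> List[IPSECKEY]:
    """Records an IKE daemon could act on, lowest precedence first.  Keyless,
    unsupported-algorithm and malformed records are dropped, not fatal."""
    keep = []
    for rd in rdatas:
        try:
            rec = parse_ipseckey(rd)
        except ValueError:
            continue
        if rec.algorithm in SUPPORTED_ALGS:
            keep.append(rec)
    return sorted(keep, key=lambda r: r.precedence)   # stable: ties keep RRset order


def select_gateway(rdatas: Iterable[bytes]) -> Optional[IPSECKEY]:
    """First usable record, or None: the caller then goes clear or refuses."""
    ordered = usable_records(rdatas)
    return ordered[0] if ordered else None


# Constructed sample RRset (RDATA only, no DNS headers); documentation addresses.
REC_NAME_NOKEY = b"\x05\x03\x00" + b"\x02gw\x07example\x03net\x00"   # prec 5, no key
REC_V6_DSA = b"\x0a\x02\x01" + ipaddress.IPv6Address("2001:db8::1").packed + b"\xaa"
REC_V4_RSA = b"\x0a\x01\x02" + bytes([192, 0, 2, 38]) + b"\x01\x03\x51"     # key "AQNR"
REC_NONE_RSA = b"\x14\x00\x02" + b"\x01\x03\x51"                            # host itself
SAMPLE_RRSET = [REC_NAME_NOKEY, REC_V6_DSA, REC_V4_RSA, REC_NONE_RSA]

if __name__ == "__main__":
    for rd in SAMPLE_RRSET:
        print(parse_ipseckey(rd).presentation())
    chosen = select_gateway(SAMPLE_RRSET)
    print("use:", chosen.presentation() if chosen else "nothing usable; clear or refuse")
```

The point the sample RRset makes is that the lowest-precedence record is not automatically the one to use: here it carries no key at all (algorithm 0, a "gateway only" record) and the next one is DSA, so the RSA record for 192.0.2.38 wins. When nothing usable remains the function returns None, and the policy decision of whether to fall back to cleartext (libreswan's private-or-clear) or to refuse the connection belongs to the caller, not to the parser.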
I guess it can be made to work that way, but I don't expect to find many servers configured for that in the wild, IPSECKEY should probably be replaced with DANE's IPSECA, and then there will be this hacky setup. Just too awkward and not very useful overall. Though it still does seem potentially nice: to sort out confidentiality, integrity, and server authentication with opportunistic IPsec, and to use simple protocols (including Gopher) on top of it, relying just on the DNSSEC trust chain, without X.509's PKIX. And then there is WireGuard, which seems to have some additional neat features (such as roaming), yet apparently it is not intended to handle opportunistic encryption with arbitrary Internet hosts: it can be hacked together, but there are no standards. Possibly I will build Unbound with ipsecmod and try to set up such IPsec OE later, once I am more bored and have more spare time, but I am postponing it again for now.

----

:Date: 2023-03-19